NetBSD Packet Filter information

The OpenBSD Packet Filter (PF) has been integrated into NetBSD since July
2004, and the first release to ship it was NetBSD 3.0. Using PF on NetBSD
is basically the same as on OpenBSD, but there are a few differences. This
page explains those differences and provides additional information about
the port and the integration of PF into NetBSD.

To use PF, you don't need to compile your own kernel. In versions of
NetBSD prior to 6.0, you can use the LKM /usr/lkm/pf.o. Use modload(8) to
load the LKM:

# modload /usr/lkm/pf.o

To use PF with NetBSD 6.0 (on architectures that support modules), you
can use the module
/stand/<arch>/<release>/modules/pf/pf.kmod.
Use modload(8) to load the module (if it was not loaded at boot
time):

# modload pf

But if you prefer to use PF in the base kernel, then you need at least
the following option enabled:

To enable PF at boot-time, set pf=YES in
/etc/rc.conf.
Please note that the boot procedure will be aborted if the PF configuration
file doesn't exist
(see also Configuration).
To start, stop, restart or reload PF manually, you can use the rc.d script
/etc/rc.d/pf.

To enable pflogd(8) (the pf logging daemon) at boot-time,
set pflogd=YES in /etc/rc.conf.
To start, stop or restart pflogd(8) manually, you can use the rc.d
script /etc/rc.d/pflogd.

On NetBSD versions older than 6.0, to load the LKM at boot-time, you
need to set lkm=YES
in /etc/rc.conf and add the following line to
/etc/lkm.conf:

/usr/lkm/pf.o - - - - BEFORENET

Beginning with NetBSD 6.0, to load the module at boot-time (on
architectures that support modules), you simply need to edit
/etc/rc.conf as noted above.

If /usr is on another partition from the root partition, you'll also need to
add the following to /etc/rc.conf:

The default configuration file is /etc/pf.conf.
This can be changed by setting the variable pf_rules
in /etc/rc.conf.
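The page notes that the boot procedure aborts when pf=YES is set but the rule file does not exist, and that pf_rules can point PF at a file other than /etc/pf.conf. As an added example (not code from the NetBSD page or the NetBSD source tree), the POSIX shell script below reads an rc.conf-style file the same way /etc/rc does and reports whether pf and pflogd are enabled and whether the rule file named by pf_rules (defaulting to /etc/pf.conf) is actually present, which is the check worth running before a reboot. The rcvar, yesno, pf_check and make_samples functions and the sample rc.conf and pf.conf contents are constructed for this example and are not part of NetBSD.

```shell
#!/bin/sh
# Added example, not code from the NetBSD page: check an rc.conf-style file
# before rebooting, because the boot procedure aborts when pf=YES is set but
# the PF rule file does not exist.

# Print the value of variable NAME from the rc.conf-style file FILE.
# rc.conf is shell syntax, so read it the way /etc/rc does: source it in a
# subshell so nothing leaks into this script. Only point this at a file you
# trust, because the file is executed, not merely parsed.
rcvar() {
    [ -r "$1" ] || return 1
    ( . "$1" >/dev/null 2>&1; eval "printf '%s\n' \"\$$2\"" )
}

# Return 0 for the spellings that rc.subr's checkyesno treats as "on".
yesno() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# pf_check FILE
#   0: pf enabled at boot and its rule file exists
#   1: pf not enabled at boot (nothing further to check)
#   2: pf enabled but the rule file is missing (boot would abort)
# Also reports the pflogd knob, since it is a separate rc.conf setting.
pf_check() {
    _file=$1
    _rules=$(rcvar "$_file" pf_rules)
    [ -n "$_rules" ] || _rules=/etc/pf.conf     # default named on the page
    if ! yesno "$(rcvar "$_file" pf)"; then
        echo "pf: not enabled at boot in $_file"
        return 1
    fi
    if yesno "$(rcvar "$_file" pflogd)"; then
        echo "pflogd: enabled"
    else
        echo "pflogd: not enabled (no packet logging via pflog)"
    fi
    if [ -f "$_rules" ]; then
        echo "pf: enabled, rule file $_rules is present"
        return 0
    fi
    echo "pf: enabled but rule file $_rules is missing; boot would abort" >&2
    return 2
}

# Write constructed sample files under DIR: good.conf points at a rule file
# that exists, bad.conf at one that was never written, off.conf leaves pf off.
make_samples() {
    _d=$1
    printf 'set skip on lo0\nblock in all\npass out all keep state\n' > "$_d/pf.conf"
    printf 'pf=YES\npflogd=YES\npf_rules="%s/pf.conf"\n' "$_d" > "$_d/good.conf"
    printf 'pf=YES\npf_rules="%s/missing.conf"\n' "$_d" > "$_d/bad.conf"
    printf 'pf=NO\n' > "$_d/off.conf"
}

# Stand-alone run: exercise all three constructed sample files.
demo() {
    _t=$(mktemp -d) || return 1
    make_samples "$_t"
    for _c in good bad off; do
        if pf_check "$_t/$_c.conf"; then _rc=0; else _rc=$?; fi
        echo "  -> $_c.conf: exit $_rc"
    done
    rm -rf "$_t"
}
demo
```

On a real system you would run pf_check /etc/rc.conf; note that rc.conf normally begins by sourcing /etc/defaults/rc.conf, so the values you see are the ones rc itself will use.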

The initial configuration file is
/etc/defaults/pf.boot.conf. This configuration is only
used during the network configuration to protect the machine from
possible attacks. You can override the default initial configuration by
creating a file named /etc/pf.boot.conf, but that
should not be needed in most setups.
Please see pf.boot.conf(5) for more information about this file.

The syntax of both configuration files is described in the manual page
pf.conf(5).

PF in bridging mode is supported, but you need to compile a new kernel
to enable packet filtering on a bridge. The following line should be added
to the kernel configuration:

options BRIDGE_IPF # bridge uses IP/IPv6 pfil hooks too

Configure the bridge as described in the
NetBSD Guide.
Then use the brconfig(8) command to enable packet filtering on the bridge:

# brconfig bridgeN ipf

The "ipf" option also applies to PF, because this option actually enables
the pfil(9) interface.
PF should now be able to filter packets on the interfaces that make up the
bridge. Note that you only need to filter on one of the member interfaces,
because the same traffic passes through both.

The 'group' keyword does nothing, because NetBSD doesn't keep the GID
in the uidinfo structure. This issue will probably be solved in a future
release.

Filtering on route labels does not work, because NetBSD has no labels for
routes. It is unknown whether this will be supported in a future release.

The initial configuration file pf.boot.conf(5) is NetBSD specific. OpenBSD
loads the initial PF configuration from /etc/rc, which is a bit clumsy when
you need to change it. For this reason, NetBSD added a separate file for
the initial PF configuration.

spamd was originally imported into NetBSD, but it was removed before 3.0 was
released. It is not considered to be part of PF and is available via pkgsrc
(mail/spamd).